1. Field of the Invention
The present invention relates to a server computer protection apparatus, and to a method of controlling data transfer with the same, in a client/server system in which many specified or unspecified clients are connected through a packet switched network to at least one server computer, the apparatus and method being well suited to realizing a function that prevents or detects illicit access to the server computer.
2. Description of the Related Art
A client/server system is available in which a packet switched network connects many specified or unspecified clients to at least one server computer. This system incorporates a server-protecting apparatus that can prevent or detect illicit accesses to the server computer. The server-protecting apparatus comprises a mechanism provided between, and connected to, the clients and the server computer. The mechanism monitors the data requests that the server computer receives from any client. When a client transmits a data request to the server computer, the mechanism determines, from the number of data requests that the server computer received per unit of time during a specific period in the past, whether the server computer would be overloaded if it accepted the request.
FIG. 1 is a system block diagram showing the positional relationship among the clients, the packet switched network, the server, and the server computer protection apparatus. When connected between the clients and the server, the server computer protection apparatus protects a web server from attacks by a hacker. Some such attacks access the server a great many times at once so as to increase the load on the server itself and thereby disable it.
A configuration example of this type of conventional server computer protection apparatus is shown in FIG. 2. In the conventional configuration of FIG. 2, a server computer protection apparatus 10 comprises network interfaces 11A and 11B and connection/transfer means 12. The connection/transfer means 12 is made up of data request reception means 13, data request transmission means 14, server data request measurement means 15, threshold value comparison means 16, threshold value holding means 17, etc.
The network interface 11A has a function to transmit a packet to and receive it from a client through a network segment (A).
The network interface 11B has a function to transmit packets to, and receive packets from, a server computer through a network segment (B), and a function to send to the server computer a data request passed from the data request transmission means 14 and to receive data from the server computer.
In the connection/transfer means 12, the data request reception means 13 has a function to exchange packets with the network interface 11A and to receive, on behalf of a server, a data request sent from a client.
The data request transmission means 14 has a function to receive a comparison result from the threshold value comparison means 16 and, if the comparison result indicates that the number of data requests measured by the server data request measurement means 15 is not in excess of the threshold value held in the threshold value holding means 17, to transfer the data request received by the data request reception means 13, through the network interface 11B, to the server computer from which the client actually requested the data.
The server data request measurement means 15 has a function to measure the number of data requests that have been received, within a specific period in the past, by the server computer to which a data request sent from a client and received by the data request reception means 13 is destined.
The threshold value holding means 17 has a function to hold a predetermined number of data requests as a threshold value.
The threshold value comparison means 16 has a function to compare the number of data requests measured by the server data request measurement means 15 with the threshold value of the number of data requests held in the threshold value holding means 17, and to transmit the comparison result to the data request transmission means 14.
FIG. 3 is a table showing one example of the information stored in the threshold value holding means 17 of the server computer protection apparatus 10 described above. It holds the network address of each server computer to be protected and the number of data requests that each of these server computers can process per unit time (one minute in this case).
In the server computer protection apparatus of this configuration, it is supposed that the threshold value holding means 17 holds each of the server computers to be protected, as shown in FIG. 2, together with threshold values indicating the number of data requests each of these server computers can process. That is, in the example shown in FIG. 3, the protection-subject server computers are a server computer having network address “192.168.1.31” and one having network address “192.168.1.32”, and the threshold values “100” and “150” are held for the server computers having network addresses “192.168.1.31” and “192.168.1.32” respectively, as the number of data requests processable within a unit time (one minute in this case).
It is here supposed that in this condition a certain client has sent a data request to the server computer having network address “192.168.1.31”.
A packet of the data request received by the network interface 11A is obtained by the data request reception means 13 on behalf of the server. The data request reception means 13 also responds to connection requests sent from clients. Two methods are available here. In the first, the data request reception means 13 uses as it is the network address “192.168.1.31” of the server computer to receive the data request sent from the client (the apparatus intercepts the request transparently). In the second, the client is explicitly notified beforehand of a different network address, so that the client sends a data request destined for the server computer having network address “192.168.1.31” to this different network address, thereby permitting the data request reception means 13 to receive the data request in place of the server.
The data request thus received by the data request reception means 13 is passed over to the data request transmission means 14. The server data request measurement means 15 measures beforehand the number of data requests received, within a constant period in the past, by the server computer to which the data request is to be transferred.
In this case, it is supposed that, at the moment the data request received by the data request reception means 13 is passed over to the data request transmission means 14, the number of data requests received by the server computer having network address “192.168.1.31” within the past one minute, as measured by the server data request measurement means 15, is “85”.
In this condition, the data request transmission means 14 makes an inquiry to the threshold value comparison means 16. The threshold value comparison means 16 compares the threshold value “100” of the server computer having network address “192.168.1.31”, held in the threshold value holding means 17, with the number of data requests “85” measured by the server data request measurement means 15. Because “85” is not in excess of the threshold value “100”, it passes over to the data request transmission means 14 a comparison result indicating that the measured number of data requests is not more than the threshold value.
Having received from the threshold value comparison means 16 the comparison result indicating that the measured number of data requests is not more than the threshold value, the data request transmission means 14 sends (transfers) the packet of the data request to the server computer having network address “192.168.1.31” through the network interface 11B. In this case, the data request transmission means 14 also processes the request for connection to the server computer.
The server computer having network address “192.168.1.31” sends the data corresponding to the data request received from the client through the server computer protection apparatus 10. The data thus sent from the server computer is received through the network segment (B) by the network interface 11B and then passed through the network interface 11A over to the requesting client. If the client was explicitly notified beforehand of a different address used by the data request reception means 13, the data sent from the network interface 11A to the client is actually sent as a response from this different address. If, on the other hand, the method is employed in which the data request reception means 13 uses as it is the network address “192.168.1.31” of the server computer to receive the data request sent from the client, the data from the server computer having network address “192.168.1.31” received by the network interface 11B is sent to the requesting client through the network interface 11A after the port number, sequence number, and checksum in the header of the packet carrying the data have been rewritten, since the connection on segment (A) and the connection on segment (B) are separate connections terminated by the apparatus.
In this manner, a data request sent from the client is sent to the server computer, which in turn passes the data corresponding to the request over to the client.
Next, it is supposed that, at another moment when a data request received by the data request reception means 13 is passed over to the data request transmission means 14, the number of data requests received by the server computer having network address “192.168.1.31” within the past one minute, as measured by the server data request measurement means 15, is, for example, “103”. In this condition, the data request transmission means 14 makes an inquiry to the threshold value comparison means 16. The threshold value comparison means 16 compares the threshold value “100” of the server computer having network address “192.168.1.31”, held in the threshold value holding means 17, with the number of data requests “103” measured by the server data request measurement means 15. Because “103” is in excess of the threshold value “100”, it passes over to the data request transmission means 14 a comparison result indicating that the measured number of data requests has exceeded the threshold value.
Having received from the threshold value comparison means 16 the comparison result indicating that the measured number of data requests is in excess of the threshold value, the data request transmission means 14 discards the packet of the data request received from the data request reception means 13.
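The transfer/drop decision of FIGS. 2 and 3, and the two moments described above (85 and 103 requests already counted against a threshold of 100), written out as an added example in Python. This is not code from the patent or from any product; the class names merely mirror the means 13 to 17. It assumes that the measurement means counts every data request received on behalf of a server in the past minute, whether or not it was transferred (the description's count of 103 against a threshold of 100 implies the count is not capped by what was transferred), and that a request for a destination absent from the table is dropped. The trace of request times is constructed.

```python
from collections import deque

WINDOW_SECONDS = 60  # the "unit time" of FIG. 3: one minute

# Contents of the threshold value holding means 17 as in FIG. 3:
# network address of each protected server -> data requests processable per minute
THRESHOLDS = {"192.168.1.31": 100, "192.168.1.32": 150}


class ServerRequestMeasurement:
    """Server data request measurement means 15: per-server count over the past minute."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._times = {}  # server address -> deque of request arrival times (seconds)

    def record(self, server, now):
        self._times.setdefault(server, deque()).append(now)

    def count(self, server, now):
        q = self._times.setdefault(server, deque())
        while q and q[0] <= now - self.window:  # discard arrivals older than the window
            q.popleft()
        return len(q)


class ProtectionApparatus:
    """Connection/transfer means 12: transfer or drop each data request."""

    def __init__(self, thresholds, window=WINDOW_SECONDS):
        self.thresholds = thresholds                 # threshold value holding means 17
        self.meter = ServerRequestMeasurement(window)
        self.forwarded = {}                          # server -> [(time, client)] actually transferred

    def handle(self, client, server, now):
        """Decide for one data request from `client` to `server` arriving at `now` (seconds)."""
        if server not in self.thresholds:
            return "drop"  # assumption: a destination not listed in FIG. 3 is not forwarded
        measured = self.meter.count(server, now)     # requests already counted in the past minute
        self.meter.record(server, now)               # assumption: counted whether transferred or not
        # threshold value comparison means 16: transfer only if "not in excess of" the threshold
        if measured > self.thresholds[server]:
            return "drop"
        self.forwarded.setdefault(server, []).append((now, client))
        return "transfer"


def worked_example():
    """Replay the description's two moments on a constructed trace and return the decisions."""
    app = ProtectionApparatus(THRESHOLDS)
    server = "192.168.1.31"
    decisions = {}
    # Constructed trace: request i reaches the apparatus at i * 0.5 s, i = 0..110 (all inside one minute)
    for i in range(111):
        decision = app.handle(f"client-{i % 7}", server, i * 0.5)
        if i == 85:    # 85 requests counted in the past minute -> not in excess of 100
            decisions["at_85"] = decision
        if i == 103:   # 103 counted -> in excess of 100
            decisions["at_103"] = decision
    decisions["transferred_in_burst"] = len(app.forwarded[server])  # requests 0..100
    # At 70 s the arrivals from 0..10 s have left the window (21 of 111), so requests are transferred again
    decisions["after_window_slides"] = app.handle("client-x", server, 70.0)
    # The second server of FIG. 3 has its own threshold and its own count
    decisions["other_server"] = app.handle("client-y", "192.168.1.32", 70.0)
    return decisions


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

Although FIG. 3 expresses the threshold as requests per minute, the comparison is made on every request against a window that slides with each arrival, so the effect is a sliding-window rate limit rather than a fixed per-minute quota. Under the alternative reading, in which only transferred requests are counted, the count could never exceed the threshold by more than one, and a flood of requests would still reach the server at the threshold rate.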
The conventional server computer protection apparatus described above, however, has the following problems. The conventional apparatus needs to have set beforehand, as a threshold value, the number of data requests that each server computer can process within a specific period. However, since the number of data requests that a server computer can process within a constant period depends largely on the content of the requests and the like, it is difficult to set an appropriate threshold value. If an inappropriate threshold value is set, either the server computer cannot be protected (the threshold is too high) or, even if it can be protected, the throughput of the server cannot be utilized to the full (the threshold is too low).
A server computer protection apparatus that sets the threshold value automatically might be contemplated. In one such scheme, the time taken to receive a response from a server computer is measured; if no response is received within a specific time, it is decided that the number of data requests the server can process has been exceeded, and the average number of data requests measured at that moment is used as the threshold value. In another, the server is provided with means for measuring the load on the server computer, and the average number of data requests measured at the moment the load reaches at least a constant value is used as the threshold value. Nevertheless, if the number of requests from clients has increased rapidly, the average number of data requests at that moment is far from the number of data requests the server can actually process within the specific period, so that using this average as the threshold value again leaves either the throughput of the server underutilized or the server unprotected.
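To show why the average request rate at the moment an overload is detected makes a poor threshold, the following is an added example in Python, not code from the patent, built on an assumed server model: the server completes a fixed number of requests per second and queues the rest, so a request's response delay grows with the queue; the automatic scheme declares overload in the first second that this delay exceeds the response timeout and adopts the average rate of the preceding minute as the threshold. The capacity of two requests per second (120 per minute), the two traffic traces and the timeouts are constructed values. The example goes beyond the single case in the text: one trace rises suddenly and yields a threshold far below the true capacity (throughput underutilized); the other rises moderately under a long timeout and yields a threshold far above it (server unprotected).

```python
def simulate_auto_threshold(capacity_per_sec, arrivals, timeout_s, window_s=60):
    """One-second-step model of a server behind a response-timeout detector (assumed model).

    arrivals[t] is the number of data requests reaching the server in second t.  The
    server completes at most capacity_per_sec of the queued requests per second, so a
    request arriving now waits about queue / capacity_per_sec seconds for its response.
    The first second in which that wait exceeds timeout_s counts as "no response within
    the specific time"; the auto-setting scheme then takes the average request rate of
    the preceding window_s seconds, scaled to per minute, as the threshold.

    Returns (detect_second, auto_threshold_per_min, true_capacity_per_min), or None
    when no timeout occurs in the trace.
    """
    queue = 0
    for t, a in enumerate(arrivals):
        queue += a
        queue -= min(queue, capacity_per_sec)           # work completed this second
        wait_s = queue / capacity_per_sec               # delay seen by a request arriving now
        if wait_s > timeout_s:
            recent = arrivals[max(0, t + 1 - window_s): t + 1]
            avg_per_min = 60 * sum(recent) / len(recent)
            return t, avg_per_min, 60 * capacity_per_sec
    return None


def sudden_spike_trace():
    """Constructed trace: 1 request/s for one minute, then a jump to 10 requests/s."""
    return [1] * 60 + [10] * 60


def sustained_overload_trace():
    """Constructed trace: 1 request/s for one minute, then 3 requests/s (150% of capacity)."""
    return [1] * 60 + [3] * 120


def compare():
    """Auto-set threshold versus the server's real capacity for both constructed traces."""
    capacity = 2  # assumed: the server completes 2 requests/s, i.e. 120 per minute
    return {
        # overload detected at 61 s: 58 s of 1/s and 2 s of 10/s average to 78/min, far below 120
        "spike": simulate_auto_threshold(capacity, sudden_spike_trace(), timeout_s=5),
        # with a 30 s timeout the queue builds for a full minute first; the window then holds only 3/s
        "creep": simulate_auto_threshold(capacity, sustained_overload_trace(), timeout_s=30),
    }


if __name__ == "__main__":
    for name, (t, auto, real) in compare().items():
        print(f"{name}: timeout at {t} s, auto threshold {auto:.0f}/min, real capacity {real}/min")
```

In the first trace the window still contains mostly the quiet minute before the spike, so the adopted threshold (78 per minute) would make the apparatus discard requests the server could have served. In the second the window contains only the overload itself, so the adopted threshold (180 per minute) admits half again as many requests as the server can complete. Neither value tracks the server's real capacity; it is the rate history at the moment of detection, not the capacity, that the average reflects.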